
Hey, Oracle, what’s in that VirtualBox security update? *crickets*


It’s not just Microsoft keeping schtum [1] on exactly what’s inside its software updates.

Oracle is keeping details of security patches for its VirtualBox hypervisor software a secret, members of the Debian team pointed out this week [2].

Back in July [3], Oracle emitted a big batch [4] of updates for its products, including new features in VirtualBox and a fix for a vulnerability in the application labeled CVE-2015-2594 [5]. All we were told at the time about the bug was that it involves guest OSes using bridged networking over Wi-Fi, and affects versions prior to 4.3.30 on Windows, Linux and Mac OS X hosts.

Gianfranco Costamagna, one of the small team who packages VirtualBox [6] for GNU/Linux Debian users, asked the VBox developers for more info [7] or at least a separate patch for just the security side of the update at the time, but got no response.

On Sunday this week, the penguinistas decided it was time to push out Oracle’s updates for VirtualBox. The hypervisor software is mostly open source, but it is not clear, in among all the other changes and new features in the software, where the vulnerability fix lies.

We’ve tried diff’ing versions of the source code, and nothing has jumped out at us. Let us know if you can home in on it.

Ideally, having the security patch identified means people can assess how dangerous the flaw is and also apply the patch to stable versions of VirtualBox for people who just want security fixes and no more new features.

“This update fixes an unspecified security issue in VirtualBox related to guests using bridged networking via Wi-Fi,” Debian’s Moritz Muehlenhoff wrote in an advisory [8] on Sunday about the VirtualBox package update.

“Oracle no longer provides information on specific security vulnerabilities in VirtualBox.

To still support users of the already released Debian releases we’ve decided to update these to the respective 4.1.40 and 4.3.30 bugfix releases.”

Muehlenhoff told The Reg that Oracle’s documentation for its latest batch of software updates was “so vague” it’s impossible to tell exactly what has been fixed in the code.

“Oracle no longer provides information on specific security vulnerabilities in VirtualBox.” Say whaaat? http://t.co/JQvHTXsgFb [9]

The Register (@TheRegister) September 14, 2015 [10]

We understand that Oracle keeps a lid on the security patches it issues for other open-source code it maintains, but has until now been more, well, open about VirtualBox vulnerabilities.

A spokesperson for Oracle did not return our request for comment.

In August, the database giant threw its chief security officer under a bus [11] after she posted, on blogs.oracle.com, a rant against reverse-engineering and bug bounties.

References

  1. keeping schtum (www.theregister.co.uk)
  2. pointed out this week (seclists.org)
  3. in July (www.theregister.co.uk)
  4. a big batch (www.oracle.com)
  5. CVE-2015-2594 (security-tracker.debian.org)
  6. packages VirtualBox (wiki.debian.org)
  7. for more info (www.virtualbox.org)
  8. advisory (www.debian.org)
  9. http://t.co/JQvHTXsgFb (t.co)
  10. September 14, 2015 (twitter.com)
  11. under a bus (www.theregister.co.uk)
